
How Much Cyber Security Does a Small Business Really Need?


Most UK SMEs buy between £250K and £1M of cyber-liability cover. The correct figure for you depends on your likely recovery costs, lost revenue and third-party liabilities.

This article explains how to size the limit and get value for money.

Why cyber‑insurance matters but isn't a silver bullet

  • Half of UK businesses reported at least one breach in the last year. The single most disruptive incident cost the average SME £1,205 in direct out‑of‑pocket expenses, and far more for larger firms.
  • In finance and other regulated sectors, total costs (forensics, legal, customer redress, PR) frequently run into six or seven figures. Average ransomware payments exceeded £438,500 in late 2024.
  • A cyber‑policy will not stop an attack, but it can fund 24 × 7 incident‑response specialists, data restoration, business‑interruption losses and third‑party claims.

Baseline cover you may already have

If you hold Cyber Essentials certification, you automatically qualify for an IASME cyber‑liability add‑on worth £25,000 (provided turnover is under £20m and the whole organisation is in scope).

This is useful "first‑aid" but rarely enough for a severe outage, so most Cyber Essentials-certified firms still buy top‑up insurance.

What are other SMEs buying in 2025?

Smaller businesses with less than £2M in revenue typically have a £100K to £250K indemnity limit to cover forensic response plus a few days of downtime.

General SMEs in the £2M to £50M revenue bracket would typically have £250K to £1M in cover, matching a few weeks' gross profit and some third-party liability.

Regulated finance or fintech companies would need more cover, in the £1M to £5M bracket, which allows for FCA scrutiny, customer claims and reputation management.

A quick formula to double-check your number

1. Business interruption

Daily gross profit × realistic worst-case downtime.

2. Incident-response costs

Hourly rates for digital forensics, legal counsel, PCI/GDPR reporting, credit-monitoring, and PR.

3. Data-breach liability

Potential compensation to customers, staff, or lenders if personal data is exposed.

4. Regulatory exposure

FCA, ICO or sector-specific fines where insurable.

5. Ransomware scenario

Insurers do not reimburse illegal ransom payments, but they do cover the negotiation and rebuild costs. The current average demand is over £400K.
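As an added illustration (not from the article), a small Python calculator for the five-step formula above, using the article's 2025 indemnity bands and the £25,000 Cyber Essentials add-on. All sample figures are constructed, and netting the add-on off the total before comparing with the band is an assumption.

```python
from dataclasses import dataclass, field

IASME_ADDON = 25_000               # Cyber Essentials add-on (turnover under £20m)
IASME_TURNOVER_CAP = 20_000_000
# Typical 2025 indemnity bands from the article: (revenue cap, (low, high))
REVENUE_BANDS = [(2_000_000, (100_000, 250_000)),
                 (50_000_000, (250_000, 1_000_000))]
REGULATED_BAND = (1_000_000, 5_000_000)

@dataclass
class Scenario:
    annual_revenue: float
    daily_gross_profit: float          # 1. business-interruption inputs
    worst_case_downtime_days: int
    ir_hours: dict = field(default_factory=dict)  # 2. {"forensics": (hours, rate)}
    data_breach_liability: float = 0   # 3. customer/staff/lender compensation
    regulatory_fines: float = 0        # 4. insurable portion only
    ransom_demand: float = 0           # 5. never reimbursed, so never added
    ransomware_rebuild: float = 0      # 5. negotiation and rebuild, which is covered
    cyber_essentials: bool = False
    regulated_finance: bool = False

def typical_band(s: Scenario):
    """Band the article reports for this kind of SME, or None if outside its scope."""
    if s.regulated_finance:
        return REGULATED_BAND
    for cap, band in REVENUE_BANDS:
        if s.annual_revenue < cap:
            return band
    return None

def size_limit(s: Scenario) -> dict:
    """Sum the five components, net off the IASME add-on (assumption), compare to the band."""
    interruption = s.daily_gross_profit * s.worst_case_downtime_days
    response = sum(hours * rate for hours, rate in s.ir_hours.values())
    gross = (interruption + response + s.data_breach_liability
             + s.regulatory_fines + s.ransomware_rebuild)   # ransom_demand deliberately omitted
    addon = IASME_ADDON if s.cyber_essentials and s.annual_revenue < IASME_TURNOVER_CAP else 0
    top_up = max(gross - addon, 0)
    band = typical_band(s)
    return {"gross": gross, "iasme_addon": addon, "top_up": top_up, "band": band,
            "within_band": band is not None and band[0] <= top_up <= band[1]}

if __name__ == "__main__":
    # Constructed sample: £8M-revenue firm, Cyber Essentials certified, 10-day outage
    sample = Scenario(8_000_000, 6_000, 10,
                      {"forensics": (80, 250), "legal": (20, 300), "pr": (10, 150)},
                      50_000, 20_000, 400_000, 75_000, cyber_essentials=True)
    print(size_limit(sample))
```

A result below the band's lower bound (as in the sample) is a prompt to revisit the downtime and liability assumptions rather than a reason to buy less than peers do.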

5 policy features worth paying for

Must-have wording, and why it matters:

  • 24/7 incident-response hotline: minutes count, so you need experts on the case immediately.
  • Business‑interruption cover on gross profit: replaces lost margin, not just turnover.
  • Social‑engineering and invoice‑fraud losses: still excluded by some older policies.
  • Bricking and hardware replacement: covers devices rendered unusable by malware.
  • Regulatory and PCI fines (where legal): particularly important for finance and payment data.


Technical controls insurers expect

  • Multi-factor authentication, including for remote admin tools.
  • Secure backups that are tested regularly.
  • Endpoint detection and response with a managed SOC.
  • Ongoing user awareness training and phishing drills.

Regulatory disclaimer

Superfast IT is not authorised by the Financial Conduct Authority to advise on or arrange insurance. The guidance above is general cyber‑risk commentary only. Please speak to an FCA‑authorised broker or insurer for regulated advice and placement.